The last time we caught up with Geoff Belknap, Slack’s chief security officer, we asked what kept him up at night. His response was immediate: providing the most secure product and protecting customer data. “I take all the things that keep me up at night, or that keep our customers up at night, and then convert them into plans, metrics and accountability,” he added.
And so, as part of our continued commitment to protecting customer data, we’re launching Slack Enterprise Key Management (Slack EKM)—an add-on feature to Enterprise Grid that lets you (the customer) bring your own encryption keys to Slack so that you have complete visibility and control over your data.
What does that mean for our most security-conscious customers? We asked Belknap to break it down.
Geoff Belknap: Slack already encrypts your data in transit and at rest. But Slack EKM basically adds an extra layer of protection so that customers—especially those in regulated industries—can share conversations, data and files on Slack, all while still meeting their own risk mitigation requirements.
There are a couple of things that make Slack EKM distinctive. First, by allowing customers to bring their own encryption keys (which are then managed in Amazon’s AWS KMS), customers have a lot more control and visibility over their most sensitive data.
But what actually makes the design of our system so unique is that, in the case of an incident let’s say, rather than revoking access to the entire product, admins can choose to revoke access in a very granular, highly targeted manner. That granular revocation ensures that teams continue working while admins suss out any risks.
GB: Organizations that are security-minded, especially in highly regulated markets—such as financial services, health care and government—are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs.
Find out how Slack EKM works and how it enables Enterprise Grid customers to have greater visibility and control over their data.Learn More
GB:You, the customer, are in full control over your own encryption keys and when or if you want to revoke them. And, apart from being able to control access very granularly, you can also see how your data is being used. Detailed activity logs in Amazon’s AWS KMS tell you exactly when and where your data is being accessed.
GB:We actually designed Slack EKM to mitigate against that. Unlike other solutions, ours isn’t all or nothing. You can revoke access in a very precise way if you need to.
Customers can decide to revoke access to data at certain times of day and in certain channels, for example. So if there’s a concern, you don’t have to just hit a button and shut down Slack completely, blocking all your different teams and departments from accessing the tool. Of course, you can make that decision, too, but the idea is that this solution makes securing your data much easier without restricting access to features that people rely on to do their day-to-day work.
GB:Whether you’re one of the largest enterprises on the planet or a couple of people collaborating on a free Slack workspace, I think it’s important to remember the basics:
- Always know who you’re inviting to your Slack workspace
- Make smart decisions about which apps you use and who has permission to add them
- Always review your access logs so that you can look out for any inappropriate behaviors. For example, Slack will notify you if one of your API keys has been exposed. Slack will also tell you when your users log in from new IP addresses. Use that information to protect your users and make good decisions about security
GB: Being a chief security officer is a hard job, but I’m very lucky I get to do it at Slack. From the board level down, everyone sees security as integral to Slack’s success and our customers’ success.